Maple

CPU 100%; suspected malware


Hi,

 

I would greatly appreciate your assistance with a potential malware problem.

 

Quick summary:

 

My computer has slowed to a crawl, with CPU usage at 100%. Task Manager shows that the main CPU-consuming process is “System.”

 

In addition, when I recently pasted into MS Word 2007, I was alarmed to see that the clipboard contained perfect screen captures of every Word and Excel file that I had opened during the previous 24 hours.

 

Additional info:

 

Several weeks ago, my Dell PC mysteriously began overheating and shutting down. At boot-up, the system log contained error messages that the fan and CPU temperature were out of range. I carefully cleaned some dust inside the PC and ran the hardware diagnostic utilities, which the PC passed. Next, I had an expert PC-repair technician examine the computer; he said that the fan and motherboard were fine. He recommended reinstalling XP.

 

Reinstalling Win XP Pro (SP3) solved the problem for about 2.5 weeks. Now, the issue has resurfaced, even when booting in safe mode. Using System Restore also has not fixed the problem.

 

A complete scan of the PC with Norton IS 2009 and Webroot SpySweeper 6.0.2, using the latest definitions, found nothing awry. I also did a full scan using Kaspersky’s online scanner, as well as a full scan with Malwarebytes’ Anti-Malware, using the latest updates; neither program found any viruses/malware.

 

After the PC started to misbehave, I searched for new or recently modified files using “My Computer,” then did a print-screen and pasted the results into Word 2007. As noted above, it was then that I was alarmed to discover that the clipboard contained screen captures of all my recently opened MS Office documents, including ones that I had not copied/pasted/modified.

 

I found a mysterious toolbar, CLView12, that had been newly placed into the Application Data\Microsoft\Office subdirectory, as well as a mystery .exe file (C:\WINDOWS\Prefetch\CLVIEW.EXE-1013077A.pf). I scanned both files, as well as my Excel macro workbook (Personal.xls), with VirusTotal’s online scanner, which detected nothing abnormal.

 

I ran ATF Cleaner (“Select All” and “Empty Selected” actions for both Main and Firefox menus), to no avail.

 

The HJT log is posted below. Any help you can provide will be greatly appreciated.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:59:15 PM, on 1/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\DELLMMKB.EXE

C:\Program Files\Netropa\OSD.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\tbctray.exe

C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Webroot\WebrootSecurity\SSU.EXE

C:\Computer security\HijackThis\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll

O4 - HKLM\..\Run: [DellTouch] "C:\WINDOWS\DELLMMKB.EXE"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install

O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TraySantaCruz] "C:\WINDOWS\system32\tbctray.exe"

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"

O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://download.windowsupdate.com

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229622580468

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

 

--

End of file - 6482 bytes


Welcome to The Pit Maple,

 

CLView.exe is the Microsoft Office Help Client Viewer

 

 

Nothing apparent in the HijackThis log, so I'd like to get a couple more logs that give us a more comprehensive look at things. Please download DDS and save it to your desktop.

  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
Please include the contents of both logs in your next reply. The scan will instruct you to post the attach log as an attachment. No need for that, though; just post it as you would any other log.

 

 

Additionally, download GMER Rootkit Scanner from here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in ark.txt
Save it where you can easily find it, such as your desktop then post the contents here.

 

**Caution**

Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries.


Thanks for your help, noahdfear.

 

Below are the logs that you requested, plus a ComboFix log that I didn't include in my first post.

 

 

---------

 

DDS (Ver_09-01-07.01) - NTFSx86

Run by Andy at 20:44:21.65 on Mon 01/12/2009

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.653 [GMT -5:00]

 

AV: Norton Internet Security *On-access scanning disabled* (Updated)

FW: Webroot Internet Security Essentials *disabled*

FW: Norton Internet Security *disabled*

 

============== Running Processes ===============

 

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

C:\WINDOWS\DELLMMKB.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Netropa\OSD.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\tbctray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Andy\Desktop\dds.scr

 

============== Pseudo HJT Report ===============

 

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.2.0.7\IPSBHO.DLL

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.2.0.7\coIEPlg.dll

uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"

mRun: [DellTouch] "c:\windows\DELLMMKB.EXE"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install

mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [TraySantaCruz] "c:\windows\system32\tbctray.exe"

mRun: [spySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg111 configuration utility\WG111CFG.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: microsoft.com\*.update

Trusted Zone: windowsupdate.com\download

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.2.0.7\CoIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\andy\applic~1\mozilla\firefox\profiles\tbxuoa66.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

 

============= SERVICES / DRIVERS ===============

 

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2008-12-18 255536]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2008-12-18 362544]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090109.001\IDSxpx86.sys [2009-1-12 274808]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-18 99376]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090112.003\NAVENG.SYS [2009-1-12 89104]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090112.003\NAVEX15.SYS [2009-1-12 876112]

R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2008-12-12 144768]

R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2008-12-12 545088]

R4 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.2.0.7\ccSvcHst.exe [2008-12-18 115560]

R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]

R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-1-6 1086840]

 

=============== Created Last 30 ================

 

2009-01-09 13:46 73,728 a------- c:\windows\system32\javacpl.cpl

2009-01-09 12:30 <DIR> a-dshr-- C:\cmdcons

2009-01-09 12:29 161,792 a------- c:\windows\SWREG.exe

2009-01-09 12:29 98,816 a------- c:\windows\sed.exe

2009-01-09 12:01 410,984 a------- c:\windows\system32\deploytk.dll

2009-01-09 00:43 <DIR> --d----- c:\program files\SpeedFan

2009-01-09 00:43 45 a------- c:\windows\system32\initdebug.nfo

2009-01-08 11:14 <DIR> --d----- c:\program files\MSXML 4.0

2009-01-07 18:14 <DIR> --d----- c:\docume~1\andy\applic~1\Malwarebytes

2009-01-07 18:13 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-07 18:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-07 18:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-01-07 18:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-01-07 18:05 <DIR> --d----- C:\Computer security

2009-01-06 23:20 1,553,272 a------- c:\windows\WRSetup.dll

2009-01-06 23:20 <DIR> --d----- c:\program files\Webroot

2009-01-06 23:20 <DIR> --d----- c:\docume~1\andy\applic~1\Webroot

2009-01-06 23:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot

2009-01-06 23:06 164 a------- C:\install.dat

2009-01-06 23:04 <DIR> --d----- C:\Spy Sweeper

2009-01-06 13:06 664 a------- c:\windows\system32\d3d9caps.dat

2008-12-27 18:19 <DIR> --d-h--- c:\windows\system32\GroupPolicy

2008-12-19 20:33 88,566 a------- c:\windows\system32\nvapps.xml

2008-12-19 20:33 208,896 a------- c:\windows\system32\nvudisp.exe

2008-12-19 20:33 17,056 a------- c:\windows\system32\nvdisp.nvu

2008-12-19 20:32 208,896 a------- c:\windows\system32\NVUNINST.EXE

2008-12-19 20:32 <DIR> --d----- C:\NVIDIA

2008-12-19 20:19 <DIR> --d----- c:\program files\SystemRequirementsLab

2008-12-19 18:55 248,448 a------- c:\windows\system32\PROUnstl.exe

2008-12-19 18:52 <DIR> --d----- c:\program files\Windows Media Connect 2

2008-12-19 18:51 <DIR> --d----- c:\windows\system32\LogFiles

2008-12-19 18:46 <DIR> --d----- c:\windows\nview

2008-12-19 18:45 <DIR> --d----- c:\program files\CONEXANT

2008-12-19 18:43 <DIR> --d----- c:\windows\system32\URTTemp

2008-12-19 17:29 30,512 a------- c:\windows\system32\mdimon.dll

2008-12-19 17:24 <DIR> --d----- c:\windows\SHELLNEW

2008-12-19 16:14 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys

2008-12-19 15:50 376 a------- c:\windows\ODBC.INI

2008-12-19 15:43 268,648 a------- c:\windows\system32\mucltui.dll

2008-12-19 15:43 27,496 a------- c:\windows\system32\mucltui.dll.mui

2008-12-18 19:32 107,368 a------- c:\windows\system32\GEARAspi.dll

2008-12-18 19:32 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys

2008-12-18 19:31 <DIR> --d----- c:\program files\iPod

2008-12-18 19:31 <DIR> --d----- c:\program files\iTunes

2008-12-18 19:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-18 19:31 <DIR> --d----- c:\program files\Bonjour

2008-12-18 17:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec

2008-12-18 17:11 <DIR> --d--r-- c:\program files\Norton Support

2008-12-18 14:56 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys

2008-12-18 13:52 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll

2008-12-18 13:52 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat

2008-12-18 13:52 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui

2008-12-18 13:52 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll

2008-12-18 13:52 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll

2008-12-18 13:52 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll

2008-12-18 13:52 63,488 -c------ c:\windows\system32\dllcache\icardie.dll

2008-12-18 13:52 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll

2008-12-18 13:52 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe

2008-12-18 13:23 <DIR> --d----- c:\windows\system32\scripting

2008-12-18 13:23 <DIR> --d----- c:\windows\l2schemas

2008-12-18 13:23 <DIR> --d----- c:\windows\system32\en

2008-12-18 13:23 <DIR> --d----- c:\windows\system32\bits

2008-12-18 13:20 <DIR> --d----- c:\windows\ServicePackFiles

2008-12-18 13:16 <DIR> --d----- c:\windows\network diagnostic

2008-12-18 13:02 104,960 -------- c:\windows\system32\drivers\atinrvxx.sys

2008-12-18 12:52 272,128 -c------ c:\windows\system32\dllcache\bthport.sys

2008-12-18 12:51 138,496 -c------ c:\windows\system32\dllcache\afd.sys

2008-12-18 12:51 333,824 -c------ c:\windows\system32\dllcache\srv.sys

2008-12-18 12:50 826,368 -c------ c:\windows\system32\dllcache\wininet.dll

2008-12-18 12:50 1,160,192 -c------ c:\windows\system32\dllcache\urlmon.dll

2008-12-18 12:50 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll

2008-12-18 12:49 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys

2008-12-18 12:49 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe

2008-12-18 12:49 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe

2008-12-18 12:49 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe

2008-12-18 12:49 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe

2008-12-18 12:49 3,593,216 -c------ c:\windows\system32\dllcache\mshtml.dll

2008-12-18 12:49 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys

2008-12-18 12:49 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys

2008-12-18 12:49 331,776 -c------ c:\windows\system32\dllcache\msadce.dll

2008-12-18 12:49 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll

2008-12-18 12:48 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll

2008-12-18 12:48 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

2008-12-18 12:48 <DIR> --dsh--- c:\documents and settings\andy\UserData

2008-12-18 12:47 <DIR> --d----- c:\windows\system32\PreInstall

2008-12-18 12:47 26,488 a------- c:\windows\system32\spupdsvc.exe

2008-12-18 12:35 60,808 a------- c:\windows\system32\S32EVNT1.DLL

2008-12-18 12:35 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS

2008-12-18 12:35 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-18 12:35 806 a------- c:\windows\system32\drivers\SYMEVENT.INF

2008-12-18 12:35 <DIR> --d----- c:\program files\Symantec

2008-12-18 12:35 <DIR> --d----- c:\program files\common files\Symantec Shared

2008-12-18 12:35 <DIR> --d----- c:\windows\system32\drivers\NIS

2008-12-18 12:35 <DIR> --d----- c:\program files\Norton Internet Security

2008-12-18 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton

2008-12-18 12:26 <DIR> --d----- c:\program files\NortonInstaller

2008-12-18 12:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller

 

==================== Find3M ====================

 

2008-12-18 17:26 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2008-12-12 20:00 21,640 a------- c:\windows\system32\emptyregdb.dat

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll

2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll

2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll

 

============= FINISH: 20:48:52.06 ===============

 

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_09-01-07.01)

 

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 12/12/2008 8:06:00 PM

System Uptime: 1/12/2009 10:49:34 AM (10 hours ago)

 

Motherboard: Dell Computer Corp. | |

Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2784/133mhz

 

==== Disk Partitions =========================

 

A: is Removable

C: is FIXED (NTFS) - 112 GiB total, 91.522 GiB free.

D: is CDROM ()

 

==== Disabled Device Manager Items =============

 

==== System Restore Points ===================

 

RP1: 12/12/2008 8:26:54 PM - System Checkpoint

RP2: 12/12/2008 8:29:14 PM - Installed NETGEAR WG111 Software

RP3: 12/12/2008 8:30:36 PM - Unsigned driver install

RP4: 12/12/2008 8:56:54 PM - Printer Driver HP LaserJet 2200 Series PCL 6 Installed

RP5: 12/13/2008 9:13:55 PM - System Checkpoint

RP6: 12/13/2008 10:24:20 PM - Andy restore point, clean XP, before apps and XP updates installed

RP7: 12/18/2008 12:47:32 PM - Software Distribution Service 3.0

RP8: 12/18/2008 12:51:10 PM - Software Distribution Service 3.0

RP9: 12/18/2008 1:07:34 PM - Software Distribution Service 3.0

RP10: 12/18/2008 1:33:58 PM - Software Distribution Service 3.0

RP11: 12/18/2008 1:46:31 PM - Software Distribution Service 3.0

RP12: 12/18/2008 1:57:59 PM - Software Distribution Service 3.0

RP13: 12/18/2008 2:00:42 PM - Software Distribution Service 3.0

RP14: 12/18/2008 7:31:45 PM - Installed iTunes

RP15: 12/18/2008 8:50:55 PM - Installed Adobe Reader 9.

RP16: 12/19/2008 3:48:59 PM - Installed Microsoft FrontPage 2002

RP17: 12/19/2008 3:57:02 PM - Installed Microsoft Office FrontPage 2003

RP18: 12/19/2008 5:22:45 PM - Installed Microsoft Office Professional 2007

RP19: 12/19/2008 5:29:53 PM - Printer Driver Microsoft Office Document Image Writer Installed

RP20: 12/19/2008 6:00:20 PM - Software Distribution Service 3.0

RP21: 12/19/2008 6:43:21 PM - Software Distribution Service 3.0

RP22: 12/19/2008 7:07:12 PM - Software Distribution Service 3.0

RP23: 12/20/2008 2:53:45 AM - Configured Microsoft Office Professional 2007

RP24: 12/20/2008 3:00:13 AM - Software Distribution Service 3.0

RP25: 12/20/2008 3:06:22 AM - Software Distribution Service 3.0

RP26: 12/21/2008 3:51:56 AM - System Checkpoint

RP27: 12/23/2008 10:57:32 PM - System Checkpoint

RP28: 12/27/2008 10:35:44 PM - System Checkpoint

RP29: 12/28/2008 11:31:21 PM - System Checkpoint

RP30: 12/30/2008 1:43:29 PM - System Checkpoint

RP31: 12/31/2008 7:49:59 PM - System Checkpoint

RP32: 1/1/2009 8:11:30 PM - System Checkpoint

RP33: 1/2/2009 8:22:35 PM - System Checkpoint

RP34: 1/3/2009 10:54:38 PM - System Checkpoint

RP35: 1/4/2009 11:09:48 PM - System Checkpoint

RP36: 1/5/2009 9:59:19 PM - Restore Operation

RP37: 1/6/2009 10:48:01 AM - Restore Operation

RP38: 1/6/2009 10:50:11 AM - Restore Operation

RP39: 1/6/2009 10:52:13 AM - Restore Operation

RP40: 1/6/2009 10:54:19 AM - Restore Operation

RP41: 1/6/2009 11:02:40 AM - Restore Operation

RP42: 1/6/2009 11:05:01 AM - Restore Operation

RP43: 1/6/2009 11:10:32 AM - Restore Operation

RP44: 1/7/2009 3:50:08 PM - System Checkpoint

RP45: 1/8/2009 11:14:17 AM - Software Distribution Service 3.0

RP46: 1/9/2009 12:00:55 PM - Installed Java 6 Update 11

RP47: 1/9/2009 12:29:31 PM - ComboFix created restore point

RP48: 1/9/2009 1:12:20 PM - Removed Java 6 Update 11

RP49: 1/9/2009 1:18:55 PM - Installed Java 6 Update 11

RP50: 1/9/2009 1:42:29 PM - Removed Java 6 Update 11

RP51: 1/9/2009 1:45:44 PM - Installed Java 6 Update 11

RP52: 1/12/2009 11:36:02 AM - System Checkpoint

 

==== Installed Programs ======================

 

2007 Microsoft Office Suite Service Pack 1 (SP1)

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9

Apple Mobile Device Support

Apple Software Update

Bonjour

Conexant HSF V92 56K RTAD Speakerphone PCI Modem

Dell ResourceCD

DellTouch

HijackThis 2.0.2

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

HP LaserJet 2200 Uninstaller

Intel® Network Connections Drivers

iTunes

Java 6 Update 11

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office FrontPage 2003

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft User-Mode Driver Framework Feature Pack 1.0

Mozilla Firefox (3.0.5)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 and SOAP Toolkit 3.0

NETGEAR WG111 Software

Norton Internet Security

NVIDIA Drivers

QuickTime

Santa Cruz

Security Update for 2007 Microsoft Office System (KB951550)

Security Update for 2007 Microsoft Office System (KB951944)

Security Update for 2007 Microsoft Office System (KB958439)

Security Update for Microsoft Office Excel 2007 (KB958437)

Security Update for Microsoft Office PowerPoint 2007 (KB951338)

Security Update for Microsoft Office Publisher 2007 (KB950114)

Security Update for Microsoft Office system 2007 (KB954326)

Security Update for Microsoft Office system 2007 (KB956828)

Security Update for Microsoft Office Word 2007 (KB956358)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB960714)

Spy Sweeper

Spy Sweeper Core

System Requirements Lab

Update for Microsoft Office 2007 Help for Common Features (KB957244)

Update for Microsoft Office Access 2007 Help (KB957241)

Update for Microsoft Office Excel 2007 Help (KB957242)

Update for Microsoft Office Outlook 2007 (KB952142)

Update for Microsoft Office Outlook 2007 Help (KB957246)

Update for Microsoft Office PowerPoint 2007 Help (KB957247)

Update for Microsoft Office Publisher 2007 Help (KB957249)

Update for Microsoft Office Word 2007 Help (KB957252)

Update for Microsoft Script Editor Help (KB957253)

Update for Office 2007 (KB946691)

Update for Outlook 2007 Junk Email Filter (kb958619)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

 

==== Event Viewer Messages From Past Week ========

 

1/6/2009 11:09:56 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

1/6/2009 11:09:57 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

1/6/2009 11:10:01 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

1/6/2009 11:17:39 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

1/6/2009 11:20:50 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

1/6/2009 11:20:50 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

1/6/2009 1:06:49 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 ccHP eeCtrl Fips IDSxpx86 intelppm OMCI SRTSPX SYMTDI

1/6/2009 2:21:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

1/8/2009 2:28:51 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

1/8/2009 2:30:38 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

1/8/2009 10:58:57 AM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.

1/11/2009 1:22:23 AM, error: Dhcp [1002] - The IP address lease 10.0.1.3 for the Network Card with network address 000FB59133EF has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

1/11/2009 8:19:45 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

1/11/2009 8:19:45 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

 

==== End Of File ===========================

 

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-01-12 21:49:51

Windows 5.1.2600 Service Pack 3

 

 

---- System - GMER 1.0.14 ----

 

SSDT 86543820 ZwAlertResumeThread

SSDT 8654E0F0 ZwAlertThread

SSDT 85708730 ZwAllocateVirtualMemory

SSDT 86534F30 ZwAssignProcessToJobObject

SSDT 86542B58 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5AA5020]

SSDT 85705DE0 ZwCreateMutant

SSDT 867D99A0 ZwCreateProcess

SSDT 867D9928 ZwCreateProcessEx

SSDT 85705828 ZwCreateSymbolicLinkObject

SSDT 865A2760 ZwCreateThread

SSDT 86536200 ZwDebugActiveProcess

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF5AA52A0]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF5AA5800]

SSDT 85708808 ZwDuplicateObject

SSDT 85706808 ZwFreeVirtualMemory

SSDT 8653D628 ZwImpersonateAnonymousToken

SSDT 8653E0A8 ZwImpersonateThread

SSDT 865A7C40 ZwLoadDriver

SSDT 865A23B8 ZwMapViewOfSection

SSDT 8653A1B8 ZwOpenEvent

SSDT 856F5CB8 ZwOpenProcess

SSDT 86587280 ZwOpenProcessToken

SSDT 86537188 ZwOpenSection

SSDT 85708898 ZwOpenThread

SSDT 857058B8 ZwProtectVirtualMemory

SSDT 867925C0 ZwQueueApcThread

SSDT 86792458 ZwReadVirtualMemory

SSDT 867D9B80 ZwRenameKey

SSDT 86694F68 ZwResumeThread

SSDT 865B37B0 ZwSetContextThread

SSDT 867D9B08 ZwSetInformationKey

SSDT 857066E8 ZwSetInformationProcess

SSDT 86792728 ZwSetInformationThread

SSDT 86536730 ZwSetSystemInformation

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5AA5A50]

SSDT 865390B8 ZwSuspendProcess

SSDT 8654F500 ZwSuspendThread

SSDT 86587358 ZwTerminateProcess

SSDT 8656AC08 ZwTerminateThread

SSDT 865B37E8 ZwUnmapViewOfSection

SSDT 85706898 ZwWriteVirtualMemory

 

---- Devices - GMER 1.0.14 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

 

Device \Driver\Tcpip \Device\Ip 8675C2A8

Device \Driver\Tcpip \Device\Ip 86609718

Device \Driver\Tcpip \Device\Ip 86572530

Device \Driver\Tcpip \Device\Ip 86348430

Device \Driver\Tcpip \Device\Ip 86292970

Device \Driver\Tcpip \Device\Ip 864D8A00

 

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

 

Device \Driver\Tcpip \Device\Tcp 8675C2A8

Device \Driver\Tcpip \Device\Tcp 86609718

Device \Driver\Tcpip \Device\Tcp 86572530

Device \Driver\Tcpip \Device\Tcp 86348430

Device \Driver\Tcpip \Device\Tcp 86292970

Device \Driver\Tcpip \Device\Tcp 864D8A00

 

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

 

Device \Driver\Tcpip \Device\Udp 8675C2A8

Device \Driver\Tcpip \Device\Udp 86609718

Device \Driver\Tcpip \Device\Udp 86572530

Device \Driver\Tcpip \Device\Udp 86348430

Device \Driver\Tcpip \Device\Udp 86292970

Device \Driver\Tcpip \Device\Udp 864D8A00

 

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

 

Device \Driver\Tcpip \Device\RawIp 8675C2A8

Device \Driver\Tcpip \Device\RawIp 86609718

Device \Driver\Tcpip \Device\RawIp 86572530

Device \Driver\Tcpip \Device\RawIp 86348430

Device \Driver\Tcpip \Device\RawIp 86292970

Device \Driver\Tcpip \Device\RawIp 864D8A00

 

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

 

Device \Driver\Tcpip \Device\IPMULTICAST 8675C2A8

Device \Driver\Tcpip \Device\IPMULTICAST 86609718

Device \Driver\Tcpip \Device\IPMULTICAST 86572530

Device \Driver\Tcpip \Device\IPMULTICAST 86348430

Device \Driver\Tcpip \Device\IPMULTICAST 86292970

Device \Driver\Tcpip \Device\IPMULTICAST 864D8A00

 

---- EOF - GMER 1.0.14 ----

 

 

ComboFix 09-01-08.05 - Andy 2009-01-09 12:31:37.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.661 [GMT -5:00]

Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Updated)

FW: Norton Internet Security *disabled*

FW: Webroot Internet Security Essentials *disabled*

* Created a new restore point

.

 

((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))

.

 

2009-01-09 12:01 . 2009-01-09 12:01 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-09 12:01 . 2009-01-09 12:01 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-01-09 12:00 . 2009-01-09 12:00 <DIR> d-------- c:\program files\Java

2009-01-09 00:43 . 2009-01-09 00:55 <DIR> d-------- c:\program files\SpeedFan

2009-01-09 00:43 . 2009-01-09 00:43 45 --a------ c:\windows\system32\initdebug.nfo

2009-01-08 11:14 . 2009-01-08 11:14 <DIR> d-------- c:\program files\MSXML 4.0

2009-01-07 18:14 . 2009-01-07 18:14 <DIR> d-------- c:\documents and settings\Andy\Application Data\Malwarebytes

2009-01-07 18:13 . 2009-01-07 18:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-07 18:13 . 2009-01-07 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-07 18:13 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-07 18:13 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-07 18:05 . 2009-01-09 11:44 <DIR> d-------- C:\Computer security

2009-01-06 23:20 . 2009-01-06 23:20 <DIR> d-------- c:\program files\Webroot

2009-01-06 23:20 . 2009-01-06 23:20 <DIR> d-------- c:\documents and settings\Andy\Application Data\Webroot

2009-01-06 23:20 . 2009-01-06 23:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Webroot

2009-01-06 23:20 . 2008-11-13 17:11 1,553,272 --a------ c:\windows\WRSetup.dll

2009-01-06 23:06 . 2009-01-06 23:19 164 --a------ C:\install.dat

2009-01-06 23:04 . 2009-01-06 23:04 <DIR> d-------- C:\Spy Sweeper

2009-01-06 13:06 . 2009-01-06 13:06 664 --a------ c:\windows\system32\d3d9caps.dat

2008-12-27 18:19 . 2008-12-27 18:19 <DIR> d--h----- c:\windows\system32\GroupPolicy

2008-12-24 10:26 . 2009-01-06 11:14 <DIR> d-------- c:\documents and settings\Cedar

2008-12-20 02:54 . 2008-12-20 02:54 <DIR> d-------- c:\program files\Microsoft.NET

2008-12-19 20:33 . 2006-10-22 12:22 208,896 --a------ c:\windows\system32\nvudisp.exe

2008-12-19 20:33 . 2009-01-09 10:36 88,566 --a------ c:\windows\system32\nvapps.xml

2008-12-19 20:33 . 2006-10-22 12:22 17,056 --a------ c:\windows\system32\nvdisp.nvu

2008-12-19 20:32 . 2008-12-19 20:32 <DIR> d-------- C:\NVIDIA

2008-12-19 20:32 . 2006-10-22 15:06 208,896 --a------ c:\windows\system32\NVUNINST.EXE

2008-12-19 20:19 . 2008-12-19 20:19 <DIR> d-------- c:\program files\SystemRequirementsLab

2008-12-19 18:55 . 2008-12-19 18:55 <DIR> d-------- c:\program files\Microsoft Silverlight

2008-12-19 18:55 . 2007-12-20 10:43 248,448 --a------ c:\windows\system32\PROUnstl.exe

2008-12-19 18:52 . 2008-12-19 18:52 <DIR> d-------- c:\program files\Windows Media Connect 2

2008-12-19 18:51 . 2008-12-19 18:51 <DIR> d-------- c:\windows\system32\LogFiles

2008-12-19 18:51 . 2008-12-19 18:51 <DIR> d-------- c:\windows\system32\drivers\UMDF

2008-12-19 18:46 . 2008-12-19 20:34 <DIR> d-------- c:\windows\nview

2008-12-19 18:45 . 2008-12-19 18:45 <DIR> d-------- c:\program files\CONEXANT

2008-12-19 18:43 . 2008-12-19 18:43 <DIR> d-------- c:\windows\system32\URTTemp

2008-12-19 17:29 . 2006-10-26 19:58 30,512 --a------ c:\windows\system32\mdimon.dll

2008-12-19 17:28 . 2008-12-19 17:28 <DIR> d-------- c:\program files\Microsoft Works

2008-12-19 17:24 . 2008-12-19 17:27 <DIR> d-------- c:\windows\SHELLNEW

2008-12-19 17:23 . 2009-01-01 16:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help

2008-12-19 16:14 . 2008-04-13 13:45 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys

2008-12-19 15:51 . 2008-12-19 15:51 <DIR> dr-h----- C:\MSOCache

2008-12-19 15:50 . 2008-12-19 15:59 376 --a------ c:\windows\ODBC.INI

2008-12-19 15:43 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll

2008-12-19 15:43 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

2008-12-18 20:51 . 2008-12-18 20:51 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2008-12-18 20:51 . 2008-12-18 20:51 <DIR> d-------- c:\program files\Common Files\Adobe

2008-12-18 19:32 . 2008-12-18 19:32 <DIR> d-------- c:\documents and settings\Andy\Application Data\Apple Computer

2008-12-18 19:32 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll

2008-12-18 19:32 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys

2008-12-18 19:31 . 2008-12-18 19:32 <DIR> d-------- c:\program files\iTunes

2008-12-18 19:31 . 2008-12-18 19:31 <DIR> d-------- c:\program files\iPod

2008-12-18 19:31 . 2008-12-18 19:31 <DIR> d-------- c:\program files\Bonjour

2008-12-18 19:31 . 2008-12-18 19:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-18 19:30 . 2008-12-18 19:32 <DIR> d----c--- c:\windows\system32\DRVSTORE

2008-12-18 19:30 . 2008-12-18 19:31 <DIR> d-------- c:\program files\QuickTime

2008-12-18 19:30 . 2008-12-18 19:30 <DIR> d-------- c:\program files\Apple Software Update

2008-12-18 19:30 . 2008-12-18 19:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer

2008-12-18 19:29 . 2008-12-18 19:31 <DIR> d-------- c:\program files\Common Files\Apple

2008-12-18 19:29 . 2008-12-18 19:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple

2008-12-18 17:38 . 2008-12-18 17:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

2008-12-18 17:11 . 2008-12-18 17:11 <DIR> dr------- c:\program files\Norton Support

2008-12-18 14:56 . 2008-12-11 22:28 36,272 -ra------ c:\windows\system32\drivers\SymIM.sys

2008-12-18 14:44 . 2008-12-19 15:42 <DIR> d-------- c:\program files\NOS

2008-12-18 14:44 . 2008-12-19 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2008-12-18 14:17 . 2008-12-18 14:17 0 --a------ c:\windows\nsreg.dat

2008-12-18 13:52 . 2008-10-16 15:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll

2008-12-18 13:52 . 2007-04-17 04:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2008-12-18 13:52 . 2007-03-08 00:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2008-12-18 13:52 . 2008-10-16 15:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2008-12-18 13:52 . 2008-10-16 15:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2008-12-18 13:52 . 2008-10-16 15:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2008-12-18 13:52 . 2008-10-16 15:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2008-12-18 13:52 . 2008-10-16 15:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2008-12-18 13:52 . 2008-10-16 08:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2008-12-18 13:23 . 2008-12-18 13:23 <DIR> d-------- c:\windows\system32\scripting

2008-12-18 13:23 . 2008-12-18 13:23 <DIR> d-------- c:\windows\system32\en

2008-12-18 13:23 . 2008-12-18 13:23 <DIR> d-------- c:\windows\system32\bits

2008-12-18 13:23 . 2008-12-18 13:23 <DIR> d-------- c:\windows\l2schemas

2008-12-18 13:20 . 2008-12-18 13:23 <DIR> d-------- c:\windows\ServicePackFiles

2008-12-18 13:02 . 2004-08-03 22:29 701,440 --------- c:\windows\system32\drivers\ati2mtag.sys

2008-12-18 12:52 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys

2008-12-18 12:51 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

2008-12-18 12:51 . 2008-08-14 05:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys

2008-12-18 12:50 . 2008-10-15 20:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll

2008-12-18 12:50 . 2008-10-16 15:38 1,160,192 -----c--- c:\windows\system32\dllcache\urlmon.dll

2008-12-18 12:50 . 2008-10-16 15:38 826,368 -----c--- c:\windows\system32\dllcache\wininet.dll

2008-12-18 12:49 . 2008-12-13 01:40 3,593,216 -----c--- c:\windows\system32\dllcache\mshtml.dll

2008-12-18 12:49 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2008-12-18 12:49 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-12-18 12:49 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-12-18 12:49 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2008-12-18 12:49 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

2008-12-18 12:49 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2008-12-18 12:49 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-12-18 12:49 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

2008-12-18 12:49 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys

2008-12-18 12:48 . 2008-12-18 12:48 <DIR> d--hs---- c:\documents and settings\Andy\UserData

2008-12-18 12:48 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-12-18 12:48 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-12-18 12:47 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe

2008-12-18 12:35 . 2008-12-18 17:07 <DIR> d-------- c:\windows\system32\drivers\NIS

2008-12-18 12:35 . 2008-12-18 12:35 <DIR> d-------- c:\program files\Windows Sidebar

2008-12-18 12:35 . 2008-12-18 12:35 <DIR> d-------- c:\program files\Symantec

2008-12-18 12:35 . 2008-12-18 12:35 <DIR> d-------- c:\program files\Norton Internet Security

2008-12-18 12:35 . 2008-12-18 13:29 <DIR> d-------- c:\program files\Common Files\Symantec Shared

2008-12-18 12:35 . 2008-12-18 12:35 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS

2008-12-18 12:35 . 2008-12-18 12:35 60,808 --a------ c:\windows\system32\S32EVNT1.DLL

2008-12-18 12:35 . 2008-12-18 12:35 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-18 12:35 . 2008-12-18 12:35 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF

2008-12-18 12:34 . 2008-12-18 12:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton

2008-12-18 12:26 . 2008-12-18 12:26 <DIR> d-------- c:\program files\NortonInstaller

2008-12-18 12:26 . 2008-12-18 12:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-20 01:32 --------- d-----w c:\program files\Common Files\InstallShield

2008-12-13 01:56 --------- d-----w c:\program files\Hewlett-Packard

2008-12-13 01:51 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-13 01:51 --------- d-----w c:\program files\Turtle Beach

2008-12-13 01:51 --------- d-----w c:\program files\Common Files\Voyetra

2008-12-13 01:39 --------- d-----w c:\program files\Netropa

2008-12-13 01:29 --------- d-----w c:\program files\NETGEAR

2008-12-13 01:04 --------- d-----w c:\program files\microsoft frontpage

2008-11-12 21:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys

2008-11-12 21:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys

2008-11-12 21:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll

2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]

@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"

[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]

2008-11-13 17:04 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="c:\windows\system32\nwiz.exe" [2006-10-22 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2002-04-03 290816]

"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2008-11-13 6273400]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2008-12-12 1056864]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

 

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS --> \SystemRoot\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [?]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-18 255536]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2008-12-18 362544]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081220.001\IDSxpx86.sys [2008-12-20 274808]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-18 99376]

R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2008-12-12 144768]

R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2008-12-12 545088]

R4 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-18 115560]

R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-01-06 1086840]

 

--- Other Services/Drivers In Memory ---

 

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

*NewlyCreated* - PCANDIS5

.

Contents of the 'Scheduled Tasks' folder

 

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: *.update.microsoft.com

Trusted Zone: download.windowsupdate.com

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll

FF - ProfilePath - c:\documents and settings\Andy\Application Data\Mozilla\Firefox\Profiles\tbxuoa66.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll

FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-09 12:37:12

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet
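As an added example (not part of the original thread, and not GMER's own code), here is a short Python script that picks the SSDT entries out of a GMER text report like the one above and splits them into hooks GMER could attribute to a driver file (here SYMEVENT.SYS) and hooks it lists only by address. The sample lines are copied from the log above; the shortlist of "sensitive" syscalls is this example's own choice. An address-only entry means GMER could not map the hook target to a loaded module; that is not by itself evidence of a rootkit, since security products can hook from memory GMER does not attribute, so the output is a list to cross-check against the installed security software, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few SSDT lines copied from the GMER 1.0.14 log posted above,
# plus one non-SSDT line to show that the parser ignores the other sections.
SAMPLE_GMER = r"""
---- System - GMER 1.0.14 ----

SSDT 86543820 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF5AA5020]
SSDT 867D99A0 ZwCreateProcess
SSDT 865A7C40 ZwLoadDriver
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF5AA5A50]
SSDT 85706898 ZwWriteVirtualMemory

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
"""

# "SSDT <hook address> <Zw function>": GMER could not map the hook target to a loaded module.
UNRESOLVED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")
# "SSDT <module path> (<description>) <Zw function> [0x<hook address>]": target mapped to a driver.
RESOLVED = re.compile(
    r"^SSDT\s+(?P<path>\S+)\s+\((?P<desc>.+)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)

# Syscalls whose hooking deserves a closer look when no module is named. This shortlist is
# this example's own choice (an assumption), not a judgement GMER itself makes.
SENSITIVE = {
    "ZwLoadDriver", "ZwCreateProcess", "ZwCreateProcessEx", "ZwCreateThread",
    "ZwWriteVirtualMemory", "ZwSetContextThread", "ZwQueueApcThread",
    "ZwSetSystemInformation", "ZwOpenProcess", "ZwTerminateProcess",
}


@dataclass(frozen=True)
class SsdtHook:
    func: str
    address: int
    module: Optional[str]       # file name of the hooking driver, or None if GMER gave only an address
    description: Optional[str]  # GMER's "(product/vendor)" text, or None


def parse_ssdt(report: str) -> List[SsdtHook]:
    """Extract the SSDT entries from a GMER text report; other sections are skipped."""
    hooks: List[SsdtHook] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line.startswith("SSDT "):
            continue
        m = UNRESOLVED.match(line)
        if m:
            hooks.append(SsdtHook(m["func"], int(m["addr"], 16), None, None))
            continue
        m = RESOLVED.match(line)
        if m:
            module = m["path"].rsplit("\\", 1)[-1]
            hooks.append(SsdtHook(m["func"], int(m["addr"], 16), module, m["desc"]))
            continue
        raise ValueError(f"unrecognised SSDT line: {line!r}")
    return hooks


def triage(hooks: List[SsdtHook]) -> Dict[str, object]:
    """Group resolved hooks by driver and single out address-only hooks on sensitive syscalls."""
    by_module: Dict[str, List[str]] = {}
    unresolved: List[SsdtHook] = []
    for h in hooks:
        if h.module is None:
            unresolved.append(h)
        else:
            by_module.setdefault(h.module, []).append(h.func)
    flagged = sorted(h.func for h in unresolved if h.func in SENSITIVE)
    return {"by_module": by_module, "unresolved": unresolved, "flagged": flagged}


if __name__ == "__main__":
    result = triage(parse_ssdt(SAMPLE_GMER))
    for module, funcs in result["by_module"].items():
        print(f"{module}: {', '.join(funcs)}")
    print(f"{len(result['unresolved'])} hook(s) with no module named;"
          f" sensitive among them: {', '.join(result['flagged']) or 'none'}")
```

Run on the full log above, the resolved group contains only the four SYMEVENT.SYS registry hooks, and everything else lands in the address-only list; the next step for a reviewer is to compare that list against what the installed products (Norton Internet Security and Spy Sweeper here) are known to hook, rather than to treat the count itself as a finding.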


Your logs appear clean. Let's run one more tool now. This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I only want to see a Report of what it finds.

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

 

Double-click the drweb-cureit.exe file and click 'Start' to run the express scan. This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.

  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar at the top, click 'Setting'>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, 'tick' Complete Scan.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.

 

 

Look again in the Task Manager for the process consuming CPU cycles and get the exact process name for me, please. It should be something with an .exe extension.


Below is the DrWeb log that you requested:

 

data002\32788R22FWJFW\C.bat;C:\Computer security\ComboFix\ComboFix.exe\data002;Probably BATCH.Virus;;

data002\32788R22FWJFW\psexec.cfexe;C:\Computer security\ComboFix\ComboFix.exe\data002;Program.PsExec.171;;

data002;C:\Computer security\ComboFix\ComboFix.exe;Archive contains infected objects;;

ComboFix.exe;C:\Computer security\ComboFix;Archive contains infected objects;;

data002\32788R22FWJFW\C.bat;C:\Documents and Settings\Andy\Desktop\ComboFix.exe\data002;Probably BATCH.Virus;;

data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Andy\Desktop\ComboFix.exe\data002;Program.PsExec.171;;

data002;C:\Documents and Settings\Andy\Desktop\ComboFix.exe;Archive contains infected objects;;

ComboFix.exe;C:\Documents and Settings\Andy\Desktop;Archive contains infected objects;;

A0007980.bat;C:\System Volume Information\_restore{240FE57D-533E-4FB5-922A-A12BCC0C250B}\RP47;Probably BATCH.Virus;;

 

The PC behaved OK for at least 3-4 hours today, but for the past two hours, both Task Manager and Norton IS 2009 have indicated that CPU usage is 100%. Task Manager shows that "System" is the process consuming 83% of the CPU time, although it can fluctuate as low as 70% and as high as 87%. Memory usage for the process is relatively low: just 236K.

 

After "System," the most CPU-intensive processes are ccSvcHst.exe, WG111CFG.exe, and explorer.exe.

 

Thanks for looking at the logs.

Edited by Maple
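As an added example (not part of the original thread, and not Dr.Web's code), here is a short Python script that reads the DrWeb.csv layout shown above (object;container or directory;verdict;; with two empty trailing fields), works out which file on disk each nested finding actually lives in, and sorts the verdicts by kind. The sample rows are the ones posted above; the reading of Dr.Web's verdict names ("Probably ..." as a heuristic hit, "Program.*" as a legitimate but dual-use tool) is this example's assumption. Run on the posted report, it groups the four ComboFix member hits under the two copies of ComboFix.exe itself, so a reviewer sees at once that they come from inside a tool the user downloaded deliberately rather than from separate files.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the Dr.Web CureIt report posted above, in its semicolon-separated
# layout of object;container-or-directory;verdict;; (the two trailing fields are empty).
SAMPLE_DRWEB_CSV = r"""
data002\32788R22FWJFW\C.bat;C:\Computer security\ComboFix\ComboFix.exe\data002;Probably BATCH.Virus;;
data002\32788R22FWJFW\psexec.cfexe;C:\Computer security\ComboFix\ComboFix.exe\data002;Program.PsExec.171;;
data002;C:\Computer security\ComboFix\ComboFix.exe;Archive contains infected objects;;
ComboFix.exe;C:\Computer security\ComboFix;Archive contains infected objects;;
data002\32788R22FWJFW\C.bat;C:\Documents and Settings\Andy\Desktop\ComboFix.exe\data002;Probably BATCH.Virus;;
data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Andy\Desktop\ComboFix.exe\data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Andy\Desktop\ComboFix.exe;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Andy\Desktop;Archive contains infected objects;;
A0007980.bat;C:\System Volume Information\_restore{240FE57D-533E-4FB5-922A-A12BCC0C250B}\RP47;Probably BATCH.Virus;;
"""

ARCHIVE_VERDICT = "Archive contains infected objects"


@dataclass(frozen=True)
class Detection:
    obj: str       # object name, or member path inside an archive
    location: str  # directory of the object, or the archive that contains it
    verdict: str


def parse_report(text: str) -> List[Detection]:
    """Read the CureIt CSV; blank lines and short rows are skipped."""
    dets: List[Detection] = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 3 or not row[0]:
            continue
        dets.append(Detection(row[0], row[1], row[2]))
    return dets


def full_path(d: Detection) -> str:
    return d.location.rstrip("\\") + "\\" + d.obj


def on_disk_file(d: Detection, dets: List[Detection]) -> str:
    """The outermost file on disk holding this object.

    Nesting is taken from the location column, because for archive members the object
    column repeats the inner container name (data002 and below), so joining the two
    columns would not give a usable path. The shortest archive-verdict path that the
    location equals or lies under is the outermost container; without one, the object
    is itself a file on disk.
    """
    loc = d.location.lower()
    containers: List[str] = []
    for c in dets:
        if c.verdict != ARCHIVE_VERDICT:
            continue
        cp = full_path(c)
        if loc == cp.lower() or loc.startswith(cp.lower() + "\\"):
            containers.append(cp)
    return min(containers, key=len) if containers else full_path(d)


def verdict_class(verdict: str) -> str:
    """Coarse reading of Dr.Web's verdict naming, as assumed by this example:
    "Probably ..." is a heuristic hit, "Program.*" is a legitimate but dual-use tool,
    anything else is treated as a signature match."""
    if verdict.startswith("Probably "):
        return "heuristic"
    if verdict.startswith("Program."):
        return "riskware"
    return "signature"


def summarize(dets: List[Detection]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each on-disk file to the (object, verdict) findings inside it; the
    'Archive contains infected objects' rows are container bookkeeping, not findings."""
    summary: Dict[str, List[Tuple[str, str]]] = {}
    for d in dets:
        if d.verdict == ARCHIVE_VERDICT:
            continue
        summary.setdefault(on_disk_file(d, dets), []).append((d.obj, d.verdict))
    return summary


if __name__ == "__main__":
    dets = parse_report(SAMPLE_DRWEB_CSV)
    classes = Counter(verdict_class(d.verdict) for d in dets if d.verdict != ARCHIVE_VERDICT)
    print("findings by class:", dict(classes))
    for path, findings in summarize(dets).items():
        print(path)
        for obj, verdict in findings:
            print(f"    {obj}: {verdict} [{verdict_class(verdict)}]")
```

The third on-disk file in the output is the restore-point copy (A0007980.bat under System Volume Information), which the report lists on its own because System Restore had already archived it; a reviewer would treat it as the same batch file seen inside ComboFix, not as a separate infection.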


Nothing of concern in that log.

 

 

 

Please download Process Explorer from Microsoft Sysinternals.

 

Extract the contents of the zip file to their own folder, open the folder, and run procexp.exe.

 

Click the entry System once to select it.

 

Click View on the menu, then make sure Show Lower Pane is checked.

 

You should have a split window with upper and lower panes.

 

Click View>Lower Pane View and select DLLs.

 

The lower pane will populate.

 

When the System process is consuming a lot of CPU cycles, click File>Save As in Process Explorer.

 

Save it to a convenient location (it will default to the name System.txt)

 

 

 

Now click View>Lower Pane View and select Handles.

 

When the lower pane populates, and with the System process at high CPU usage, save another log and name it System1.txt

 

 

 

Attach both logs in an email to me for review.

 

Put RE:PCP logs in the Subject line.
